Exploding pagers and spying cranes in ports: Trusting your infrastructure can be dangerous

[updated]
Image: One of the cellular modems found on ZPMC cranes.

Media reports are coming in about a second wave of exploding communications devices used by Iran-backed Hezbollah in Lebanon, walkie-talkies this time. The reports say there were extensive casualties, with 14 dead and 450 wounded.

Following the earlier pager explosions in Lebanon, the gruesome events underline that "supply chain warfare" can be devastatingly effective and very difficult to prevent. 

Supply chain compromises are nothing new however, and they can take different forms which operators of critical infrastructure must pay attention to.

In New Zealand, a spokesperson for the Port of Auckland authority confirmed the operation of its new cranes was delayed because of malware found on them after delivery.

"Our crane and cyber experts did thorough inspections of the ZPMC cranes on their arrival in 2019. Some malware was found and subsequently eradicated which is why the three new cranes took longer to be commissioned than originally anticipated."

"Our cyber security team at the port, alongside some independent experts, continue to perform regular reviews to ensure port security," the spokesperson said.

Further details on the malware in question were not provided. The National Cyber Security Centre was contacted for comment on this and the story will be updated if and when a response is available.

The crane story has been brewing for months now. Most recently, the United States House of Representatives and Department of Homeland Security released a report on the cranes made by China's state-owned Zhenhua Heavy Industry - ZPMC - saying cellular modems had been found installed on cranes designated for American ports.

"Throughout the course of the investigation, the Committees uncovered that cellular modems — connected to Linux computers on port cranes — were found on some ZPMC cranes delivered from China to the United States," the report said.

Port operators believed that the modems were installed to collect usage data and for diagnostics purposes, but they were not part of existing crane contracts or needed for their operation.

This could well be the case, but as the report authors point out, the modems "created an obscure method to collect information and bypass firewalls in a manner that could disrupt port operations."

Nobody wants to take responsibility for the modems, with both ZPMC and its partner, Switzerland's ABB, denying any knowledge of them. The report said it's an "open secret among ports and terminal operators that throughout the process of procuring a ZPMC crane, they will be pressured to provide remote access - under the auspices of monitoring and diagnostics."

Oddly enough, the report doesn't say which cellular telco network the modems would connect to, an important technical detail that would be relatively easy to ascertain.

Supply chain security concerns are everywhere. 

On the software side, supply chain attacks have become increasingly common and troublesome with many variations on the same theme. The SolarWinds attack a few years back that saw thousands of IT systems at important organisations like the US Treasury compromised, and which cost over US$100 million in direct charges to fix, is a good example.

Furthermore, re-using code so as not to reinvent the wheel is the norm for programmers; what if you can't trust the code you reuse though?

That's really at the crux of the matter: trust, and the undermining thereof. Supply chain attacks and compromises create an erosion of trust that can and will be exploited politically, because security isn't something anyone can ignore, particularly at the national level.

It doesn't mean there are easy fixes for situations when national security demands action, as the United States' experience with ripping out and replacing Chinese gear made by Huawei and ZTE in telco networks has shown. Long story short, that whole programme looks like it's been filed in the too-hard drawer.

For a country that's so dependent on overseas supply chains such as New Zealand, we really do need to continue to pay attention to the potential threat, and ensure that agencies share information with each other and coordinate whenever possible. It's an additional pain that nobody asked for, and will add to the cost of business and lengthen lead times, but that's humanity for you.

Update: NCSC sent the following comment:

"The National Cyber Security Centre (NCSC) works closely with hundreds of nationally significant organisations to improve their cyber resilience and reduce their vulnerability to attack.

One of the ways we do this is through Security Information Exchanges (SIEs). These exchanges are trust groups of the NCSC that are organised into some of New Zealand’s critical sectors, including transport and logistics. The purpose of these is to support organisational cyber resilience through industry information sharing and discussions of best practices.

Additionally, through our international partnerships, we become aware of cyber security issues affecting particular sectors or types of systems and when we do, we engage directly with the relevant organisations or sectors as appropriate."


20 Comments

So a non-comment from NCSC then.

Up 3

Pagers that want "bang bang" time in your pants and walkie talkies that are intent on blowing your mind.

Hats off, literally, to Mossad!

 

Both Ukrainian and Israeli military intelligence are at peak brain and warcraft.

Shows what can come from surviving in a tough neighbourhood!

We are not far behind with Kiwi "can do" ingenuity!

Up 7

Quite incredible. It sounded like something from a far-out spy/sci-fi movie. 4000+ people never noticed any tampering with their devices before it happened...

It is also quite scary though:

Our cars, phones, TVs, infrastructure and our entire supply chains could in future be compromised by a third party and used against us in an attack. Wars today might be very different to those before.

Good new series on the BBC at the moment - Nightsleeper - where a whole train gets hacked and taken over. When I started watching I was thinking of it as sci-fi... in light of Mossad's work I am thinking to jump in my older non-techie car.

Up 6

Despite all the moaning it was probably the most highly targeted way Israel/Mossad could go after Hezbollah with the least collateral damage.

 

Catching the Iranian ambassador with a Hezbollah pager though, that deserves a chef's kiss.

Up 8

Er, with most IoT devices they are already part of a botnet. Assuming your devices are not already hacked or opened up to remote tampering in some way is already a flaw in security.

Even household security cameras come with low levels of security and can be updated remotely to overheat and burn... most people don't care.

Up 0

Celebrating an act of State Terrorism is not a good look.

Up 13

... are you confusing war with state terrorism ... recall Hezbollocks' stated ambition to totally destroy Israel ...

Up 7

War/terrorism... Semantics.

Up 5

When they've been firing rockets at you for a year it seems a pretty targeted and restrained attack to me. Would you rather see airstrikes or a ground assault? 

Up 3

Lol peak warcraft maybe. If we were at peak brain we'd be doing things a whole lot different and using technology in much better ways.

Up 2

Given the global interconnectedness for supply, inserting all sorts of unexpected functionality into products at source is likely to be a way forward in warfare.

It's also not entirely different from the tracking and other features routinely inserted into products by the manufacturers to harvest our data...

Just as a historical factoid: Israeli Intelligence's Unit 8200 is (supposed) to have been able to insert malware into the centrifuge controller systems in Iran's nuclear programme that somehow induced a prolonged over-speed that caused the bearings to fail, delaying the production of nuclear materials by years - and from what I've read, no-one can yet figure out how they crossed from the software to the physical control of the equipment without anyone noticing until after the event.

Up 2

Israel is an OECD country, Hezbollah is an organisation New Zealand lists as terrorists.

 

It isn't surprising to me that Israel would seek to use highly targeted attacks that minimised civilian casualties. As you've seen in Gaza conventional warfare is very messy and consequently generates substantial negative media coverage. Advanced countries are getting better at using technology from the R9X missile to exploding pagers.

 

War will always be a dirty business but advanced countries with elected governments have to hold themselves to some sort of reasonable ethical standard in how they go about wars.

Up 9

"...highly targeted attacks that minimised civilian casualties..."

you think?

https://www.bbc.com/news/articles/cz04m913m49o

 

The Rules of War include 

3. Prohibit targeting civilians. Doing so is a war crime.

4. Recognize the right of civilians to be protected from the dangers of war and receive the help they need. Every care must be taken to avoid harming them or their houses, or destroying their means of survival, such as water sources, crops, livestock. 

https://www.redcross.org.nz/about-us/what-we-stand-for/international-hu…

Up 4

That's not an issue because it won't be classed as an indiscriminate attack. They aren't firing unguided rockets at cities after all!

 

CCW Protocol II is what you're looking for; it deals with the legality of using booby-trapped devices. Under Article 7, the question of legality essentially boils down to whether the devices (pagers and radios in this case) were purchased for civilian use or purchased/issued for military use. If they were purchased by civilians for civilian use, what Israel has done is illegal. If they were purchased by Hezbollah for military use, then what Israel has done is legal.

 

The key additional consideration here will likely be whether Israel made reasonable efforts to ensure the devices were only sold to Hezbollah (i.e. did they sell them directly to that organisation, did they make reasonable efforts to prevent them from being on-sold, etc.). Based on the reports I've heard so far, it appears that all the devices were issued to Hezbollah and operated in a way that made them substantially useless for civilian applications (i.e. they actually only ran on the signal network Hamas was operating).

Up 6

"A global treaty, which has been signed by more than 100 countries including Israel, bans "the use booby traps or other devices in the form of apparently harmless portable objects that are specifically designed and constructed to contain explosive material"."

https://www.abc.net.au/news/2024-09-20/exploding-pagers-walkie-talkie-b…

 

Up 1

Beyond wrecking Hezbollah's communications, I'd guess that the message is: 'don't trust anything from Hezbollah' who I'd imagine procured the comms equipment as a job lot and then distributed them to demonstrate their largesse to people who aid their cause in some way, even if they don't actually support the organisation.

So: while the consequences are horrible, it's hardly indiscriminate or specifically targeting civilians.

Unguided missile fire or unguided aerial area bombing is indiscriminate.

Up 8

Exactly. Pinpointed as you can get, to wipe out terrorists. Expert execution of a well-conceived plan.

The second objective is now loud and clear. Don't screw with Israel! An important message when you are a sliver of a country surrounded by 100 million likely adversaries.

Up 3

Most IoT devices (TVs, fridges, cameras, even lights, etc.) are already part of a botnet, and malware regularly infects communications devices like mobile phones. Forced updates also sneak in not only illegal malware or data leaks but also legitimate updates that reduce the security of such devices, cause them to overheat the batteries or just plain brick them. Assuming your devices are not already hacked or opened up to remote tampering in some way is already a flaw in security.

Even household security cameras come with low levels of security and can be updated remotely to overheat and burn... most people don't care.

Up 0

I care; one of the major requirements I have for buying a sec. cam is that no internet connection is allowed. I have set up a separate network for the video server and camera internally and they are forever banned from connecting to the internet, not even for any firmware updates, after the initial setup. I am always amazed at people's seemingly gullible acceptance of things like Alexa, IoT, Huawei phones, BYD cars, DJI drones etc.

Up 0
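One concrete way to enforce the kind of isolation the commenter above describes, as an added example that is not the commenter's own configuration: an nftables ruleset for a Linux-based home router that lets the trusted LAN reach the camera network but gives the cameras and video server no path out of their VLAN at all, not even for firmware updates. The interface names, the static-addressing assumption and the router platform are assumptions, not details from the page.

```nftables
# Added example, not the commenter's configuration. Assumed topology on a
# Linux-based home router running nftables:
#   lan0 = trusted LAN
#   cam0 = isolated VLAN holding the cameras and the video server (static addresses)
#   wan0 = upstream internet interface
# The inet family applies the rules to both IPv4 and IPv6.

table inet cam_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections allowed below may pass in either direction.
        ct state established,related accept

        # The trusted LAN keeps its normal internet access.
        iifname "lan0" oifname "wan0" accept

        # The trusted LAN may open connections into the camera VLAN
        # (viewing the video server, camera admin pages after initial setup).
        iifname "lan0" oifname "cam0" accept

        # Nothing in the camera VLAN may initiate a connection out of it,
        # to the internet or to the LAN, including firmware-update checks
        # and cloud phone-home. Log each attempt so it is visible.
        iifname "cam0" log prefix "cam0-egress-drop: " drop
    }

    chain input {
        type filter hook input priority 0; policy accept;

        ct state established,related accept

        # The router offers the camera VLAN no services (no DNS, NTP or
        # DHCP), so devices there cannot even resolve an update server.
        iifname "cam0" drop
    }
}
```

Load it with `nft -f` and confirm with `nft list table inet cam_isolation`; any camera that tries to leave the VLAN then shows up in the kernel log under the `cam0-egress-drop:` prefix, which is the check that the isolation is actually holding.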

I've recently been designing a home, and the architect was very keen on selling me on the idea of elaborate building management systems - heating, ventilation and all the rest - and was first a bit offended I wouldn't trust his opinion on the need for expensive HVAC systems when I said a Hard No, then disbelieving of the problems, and then genuinely shocked after I sent him a number of articles on the hacking and sabotage of web-connected building systems.

Everything was going to be manual: nothing web connected.

People have no clue about the potential and actual mayhem in commercial building automation, let alone the virtually unprotected domestic environment.

https://www.darkreading.com/cyberattacks-data-breaches/lights-out-cyber…

Up 1